CVE-2025-38392

In the Linux kernel, the following vulnerability has been resolved:

idpf: convert control queue mutex to a spinlock

With VIRTCHNL2CAPMACFILTER enabled, the following warning is generated on module load:

[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 [ 324.701684] inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 1582, name: NetworkManager [ 324.701689] preemptcount: 201, expected: 0 [ 324.701693] RCU nest depth: 0, expected: 0 [ 324.701697] 2 locks held by NetworkManager/1582: [ 324.701702] #0: ffffffff9f7be770 (rtnlmutex){....}-{3:3}, at: rtnlnewlink+0x791/0x21e0 [ 324.701730] #1: ff1100216c380368 (xmitETHER){....}-{2:2}, at: devopen+0x3f0/0x870 [ 324.701749] Preemption disabled at: [ 324.701752] [<ffffffff9cd23b9d>] _devopen+0x3dd/0x870 [ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary) [ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022 [ 324.701774] Call Trace: [ 324.701777] <TASK> [ 324.701779] dumpstacklvl+0x5d/0x80 [ 324.701788] ? _devopen+0x3dd/0x870 [ 324.701793] _mightresched.cold+0x1ef/0x23d <..> [ 324.701818] _mutexlock+0x113/0x1b80 <..> [ 324.701917] idpfctlqcleansq+0xad/0x4b0 [idpf] [ 324.701935] ? kasansavetrack+0x14/0x30 [ 324.701941] idpfmbclean+0x143/0x380 [idpf] <..> [ 324.701991] idpfsendmbmsg+0x111/0x720 [idpf] [ 324.702009] idpfvcxnexec+0x4cc/0x990 [idpf] [ 324.702021] ? rcuiswatching+0x12/0xc0 [ 324.702035] idpfadddelmacfilters+0x3ed/0xb50 [idpf] <..> [ 324.702122] _hwaddrsyncdev+0x1cf/0x300 [ 324.702126] ? findheldlock+0x32/0x90 [ 324.702134] idpfsetrxmode+0x317/0x390 [idpf] [ 324.702152] _devopen+0x3f8/0x870 [ 324.702159] ? _pfxdevopen+0x10/0x10 [ 324.702174] _devchangeflags+0x443/0x650 <..> [ 324.702208] netifchangeflags+0x80/0x160 [ 324.702218] dosetlink.isra.0+0x16a0/0x3960 <..> [ 324.702349] rtnl_newlink+0x12fd/0x21e0

The sequence is as follows: rtnlnewlink()-> _devchangeflags()-> _devopen()-> devsetrxmode() - > # disables BH and grabs "dev->addrlistlock" idpfsetrxmode() -> # proceed only if VIRTCHNL2CAPMACFILTER is ON _devucsync() -> idpfaddmacfilter -> idpfadddelmacfilters -> idpfsendmbmsg() -> idpfmbclean() -> idpfctlqcleansq() # mutexlock(cqlock)

Fix by converting cq_lock to a spinlock. All operations under the new lock are safe except freeing the DMA memory, which may use vunmap(). Fix by requesting a contiguous physical memory for the DMA mapping.